When a cookie is protected with the secure
attribute set to true it will not be send by the browser over an unencrypted HTTP
request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.
Ask Yourself Whether
- the cookie is for instance a session-cookie not designed to be sent over non-HTTPS communication.
- it’s not sure that the website contains mixed content or not
(ie HTTPS everywhere or not)
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- It is recommended to use
HTTPs
everywhere so setting the secure
flag to true should be the default behaviour
when creating cookies.
- Set the
secure
flag to true for session-cookies.
Sensitive Code Example
Using Flask:
from flask import Response
@app.route('/')
def index():
response = Response()
response.set_cookie('key', 'value') # Sensitive
return response
Using FastAPI:
from fastapi import FastAPI, Response
app = FastAPI()
@app.get('/')
async def index(response: Response):
response.set_cookie('key', 'value') # Sensitive
return {"message": "Hello world!"}
Compliant Solution
Using Flask:
from flask import Response
@app.route('/')
def index():
response = Response()
response.set_cookie('key', 'value', secure=True)
return response
Using FastAPI:
from fastapi import FastAPI, Response
app = FastAPI()
@app.get('/')
async def index(response: Response):
response.set_cookie('key', 'value', secure=True)
return {"message": "Hello world!"}
See